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ARTICLE INFO ABSTRACT 

Keywords: In the pursuit of anonymous authentication schemes that balance anonymity and accountability, various 
Anonymous authentication authentication schemes have been proposed. However, most of existing schemes cannot achieve linkability 
Linkability while holding public traceability. In this paper, we introduce a new variant of anonymous authentication called 
Traceability event-oriented linkable and traceable anonymous authentication (EOLTAA) and provide a generic construction. 
e tai In an EOLTAA scheme, a message to be authenticated binds an event. If two different messages binding 


the same event are authenticated by an identical user, anyone can link the two authentications and 
further reveal the user’s identity. Then we formally define the security requirements of EOLTAA, including 
unforgeability, anonymity, linkability and public traceability. We give a generic construction satisfying the 
security requirements. With this new authentication scheme, we construct the first decentralized, anonymous, 
linkable and publicly traceable e-voting based on blockchain. 


1. Introduction 


In the age of information technology, individuals electronically 
participate in activities more than ever, so that people can share infor- 
mation, express opinions, purchase goods, book flights and hotels over 
the Internet [1]. Meanwhile, people are more focus on the protection 
of privacy. For example, we may not want others to pay attention 
to what you said, what you bought and where you will go. It is 
therefore paramount to take actions to protect the privacy of users in 
the applications. 

Anonymity is a significant form of privacy protection. On the other 
hand, if an application only ensures the anonymity, the recipient may 
cannot be convinced of the integrity of transmitted messages. Since ma- 
licious adversary may modify the messages that will be transferred, or 
they merely want to transmit false messages without being identified. 
Thus, it is critical to ensure the validity of a message in the anonymous 
communication. One solution is to require the user to anonymously 
authenticate the delivered messages. 

Anonymous authentication plays a critical role in authenticating 
users while maintaining their privacy. In e-voting, the verifier should be 
able to verify the validity of a ballot without knowing the real identity 
of the corresponding voter. What’s more, many applications, such as 
e-cash, e-auction, e-voting, usually enable participants to anonymously 
take part in, but anonymity in turn leads to dishonest behaviors, such 
as double spending in e-cash and double submission in e-voting. In 
particular, these one-round systems always require users to involve in 
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only once, but misbehaving users may submit twice or more to abuse 
this anonymity to disturb the rules. For example, each voter is not 
allowed to vote twice in a voting numbered event, but he is able to join 
in other votings with different serial numbers. Thus, measures should 
be taken to restrict the behavior of these malicious users who attempt 
to engage in multiple times. 

Accountable anonymous authentication can further realize the 
trade-off between anonymity and accountability through detecting 
malicious behaviors. For example, if a voter votes twice in an e-voting 
with serial number event, then the double voting can be detected, and 
maybe the user’s identity can also be traced. Existing schemes, such 
as direct anonymous attestation with linkability [2], linkable group 
signatures [3,4], linkable ring signatures [5], linkable anonymous 
credentials [6], accountable ring signatures [7] and traceable attribute- 
based signatures [8,9], have been proposed to satisfy various degrees 
of accountability. For example, some linkable mechanisms only aim 
to detect whether two signatures are from the same signer without 
traceability, and some traceable mechanisms prefer to find the identity 
of a malicious user. 


Motivation. To achieve accountability, numerous linkable mechanisms 
and traceable mechanisms are designed to fulfill different requirements. 
Compared with the tracing performed by trusted parities, it is desirable 
to realize the public tracing mechanism that enables anyone to perform 


E-mail addresses: penglijnu@gmail.com (P. Li), laijunzuo@gmail.com (J. Lai), wuyd007@qq.com (Y. Wu). 


https://doi.org/10.1016/j.jisa.2021.102865 


Available online 19 May 2021 
2214-2126/© 2021 Elsevier Ltd. All rights reserved. 


P. Li et al. 


Table 1 

Comparison between our scheme and related schemes. 
Scheme Anonymity Linkability Traceability Public Generic 

traceability construction 

[10-12] v x x x v 
[2,5,13] v v x x x 
[14,15] v v x x v 
[9,16-18] V x v x x 
[7,8,19] v x v x v 
[6,20] s v v x x 
[3,4,21] v v v x v 
[22-26] v v v v x 
Ours v v v v v 


and cannot compromise others privacy if someone misbehaves. How- 
ever, current public tracing mechanisms in anonymous authentications 
have a major limitation: there is no generic construction to achieve 
public linking and public tracing so as to be compatible with different 
basic building blocks. We are motivated to put forward an anonymous 
authentication with a generic construction to achieve public linking 
and public tracing, and make the anonymous authentication to be more 
easily obtained. 


Our Contribution. In this paper, we concentrate on a new variant 
of anonymous authentication scheme. We achieve the event-oriented 
linkability and traceability in which anyone can determine whether two 
authentications are linked and can further trace a user, if and only if 
two different messages with an identical event are authenticated by the 
same user. Specifically, 


1. We present a new variant of anonymous authentication called 
event-oriented linkable and traceable anonymous authentication 
(EOLTAA) and provide a generic construction. We formally give 
the security requirements of EOLTAA, including unforgeabil- 
ity, anonymity, linkability and traceability. A message to be 
authenticated binds an event in an EOLTAA scheme that holds 
(i) unforgeability, i.e., anyone cannot forge an authentication in 
the name of a certain user; (ii) event-oriented linkability, if two 
different messages binding a common event are authenticated by 
the same user; (iii) public traceability, i.e., anyone can reveal a 
user’s identity if the user authenticates two different messages 
with the same event; (iv) anonymity and unlinkability, as long 
as a user authenticates either a message only once, or various 
different messages that own distinct events. 

2. We give a generic construction of EOLTAA to satisfy the above 
mentioned security requirements, and reduce the security to a 
set of assumptions. We also provide a comparison between our 
scheme and other works on anonymous authentication schemes 
in Table 1. If lattice-based signature schemes and zk-SNARK pro- 
tocols are exploited, we can obtain the first lattice-based anony- 
mous authentication scheme with linkability and traceability so 
as to resist quantum attacks. 

3. We further utilize the new authentication scheme to construct 
the first decentralized, anonymous, linkable and publicly trace- 
able voting scheme based on blockchain, and aim to address the 
double voting without any help from other parties. 


The remainder of the paper is organized as follows. In Section 2, we 
review some related work. In Section 3, we give some preliminaries. 
Then we define our event-oriented linkable and traceable anonymous 
authentication in Section 4. Section 5 contains the construction and 
security theorems. We further propose a voting protocol based on 
blockchain in Section 6, and conclude in Section 7. 
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2. Related work 
2.1. Anonymous authentication 


Anonymous authentication offers a great privacy protection to 
users. Direct anonymous attestation [27] is the method for remote 
authentication of a hardware module while preserving the privacy of 
the user of the platform that contains the module. It can be considered 
as a group signature scheme without the feature that a signature can be 
opened. [28] is an efficient direct anonymous attestation scheme such 
that it is suitable for resource constrained environments. An anonymous 
signature [29], as a special kind of digital signature scheme, is designed 
to ensure that signatures do not reveal the signer’s identity. Based 
on [29], [30] further presents a general and efficient way to construct 
such anonymous signature schemes. However, they only ensure the 
basic anonymity of users without linking or tracing. 

Group-oriented signature schemes play an important role in anony- 
mous authentication. In a ring signature scheme [31], any member 
of a group can anonymously sign messages on behalf of the group, 
and it is impossible to decide whether two signatures are issued by 
the same group member [32], i.e., there is no linkability. Some prac- 
tical ring signature schemes and their variants have been present, 
such as identity-based ring signature [33], attribute-based ring sig- 
nature [34], threshold ring signature [35]. These schemes achieve 
anonymity without accountability. 

Some anonymous authentication schemes are designed to combine 
with an access policy. Policy-based signatures [36] ensure that a sig- 
nature does not reveal the policy associated to the signing key and 
neither the witness that is used to create the signature. An attribute- 
based signature [12] allows a user, whose attributes satisfy a signing 
policy, to sign a message without revealing any other information about 
the signer’s identity or attributes. Decentralized attribute-based signa- 
tures [37] are designed to remove the central authority and the trusted 
setup in the multi-authority attribute-based signatures. Anonymous 
credentials [38] enable the authentication of users without revealing 
their identity. In an anonymous credential system [11,39], users au- 
thenticate themselves by attesting the possession of credentials while 
not disclosing any other information about themselves [40]. Usually, it 
is unlinkable to previous uses of the same credential, or to any other 
identifying information about the user. Some works further extended 
the anonymous credential schemes to support delegation [41], revoca- 
tion [18], update [10], hidden policies [42], blacklist [43] and so on. 
All the above mentioned schemes cannot realize linking and tracing. 


2.2. Accountable anonymous authentication 


Accountable anonymous authentication can achieve the possibility 
to detect double authentication, or to directly reveal the misbehaved 
user’s identity, instead of ignoring the fact that users may misbehave 
without worrying about being punished. Linkable group signature [6, 
44] and linkable ring signature [5,14] have the common functionality 
of determining whether two given signatures are made by the same 
group member. Similarly, [2] is an anonymous attestation scheme 
that also achieves the same linkability. Attribute-based signatures with 
controllable linkability can check if two signatures are created by the 
same signer without breaking anonymity, and [13] allows an entity 
who has a linking key to perform the detection, but [15] achieves 
the public linking that can be run by any party. Linkable anonymous 
authentication [45] enables everyone to link the authentications if the 
same key holder authenticates two messages sharing the same prefix. 
We can consider this kind of linkability as a lightweight accountability, 
which cannot further achieve traceability. 

A stronger accountability is just like to trace the user and reveal the 
corresponding identity, so as to avoid abuse of anonymity. In a group 
signature scheme [46], any group member can anonymously sign mes- 
sages on behalf of the group. However, to settle a dispute, any signer’s 
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identity can be traced by a group manager. In [19], authors designed 
a fully-anonymous group signature to implement privacy-friendly au- 
thentication mechanism, and there is an opening authority to track a 
user’s identity. Additional, the traceable designated verifier signatures 
in [17], accountable ring signatures in [7], traceable attribute-based 
signatures in [8,9] and attribute-based anonymous credentials in [16] 
introduce a trust third party to reveal the user’s identity, but these 
schemes do not implement the above linkability. 

Some schemes achieve the linkability and traceability simultane- 
ously with the help of trusted parities. In [47] and [20], a linking 
authority can link signatures without identifying the signers, and an 
opener can open a signature to ensure the traceability. In [4], the 
auditing manager is introduced to determine whether two signatures 
come from the same signer, and the supervision manager has the ability 
to further trace the signer’s identity. In [21], the link manager and trace 
manager implement the linking and tracing, respectively. In [3], an 
opener can show if a signature is created by a specific member, and can 
prove whether two signatures originate from the same signer without 
disclosing anything else. In [48], the authors introduces a revocable 
and linkable ring signature scheme, in which two signatures created 
by the same user can be linked and a revocation authority is able to 
revoke the anonymity of a certain user. All these above schemes are 
not publicly traceable. 


2.3. Publicly traceable anonymous authentication 


[22] is a separable linkable threshold ring signature scheme, which 
allows anyone to determine if two signatures are created from the same 
group member and identify the member’s identity. [26] is a tracing- 
by-linking group signature scheme, which enables a public algorithm 
to trace a member’s identity without needing any trapdoor if he signs 
twice. [49] is a k-times anonymous authentication scheme in which a 
user can be anonymously authenticated as long as the number that he is 
authenticated is within an allowable number. If a user is authenticated 
beyond the allowable number, anyone can trace him without help from 
the authority. [24] is an event-oriented k-times revocable-iff-linked 
group signature scheme, which ensures that no party can revoke the 
anonymity of a signer, but everyone can identify the signer if he signs 
more than k times for a particular event. [50] is a revocable-iff-linked 
ring signature scheme, which makes a signer to be linked and his 
identity to be revoked by everyone if he signs twice or more. [51] 
and [25] introduce a traceable ring signature scheme, in which anyone 
who creates two signatures for different messages with respect to the 
same tag can be publicly traced. [23] proposes an ID-based linkable 
and revocable-iff-linked ring signature such that everyone can compute 
a signer’s identity if he creates two linkable ring signatures in the same 
event. These schemes ensure the property of public traceability, but 
they do not have a generic construction. 


3. Preliminaries 
3.1. Digital signatures 


Digital signatures can be used to authenticate the origin and the 
integrity of a message [52]. A digital signature scheme consists of three 
algorithm: (Setup, Sign, Verify). 


— Setup(1*) —> (pk,sk) is a algorithm which takes as input a 
security parameter 4 and outputs a public key pk and a secret 
key sk. 

-— Sign(m, sk) — o is a algorithm which takes as input a message 
m and a secret key sk, and produces a signature o. 

— Verify(m, pk,o) —> 0/1 is a algorithm which takes as input a 
message m, a public key pk and a signature o, and returns 1 or 0 
for valid or invalid. 
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A digital signature is said to be secure if it satisfies existentially 
unforgeable under a chosen-message attack [53]. A signature scheme 
is existentially unforgeable if, given any polynomial number of pairs 
(m1, 01), (m, 02), ..., (Mg, Ck), Where o denotes the signature on the mes- 
sage m, it is computationally infeasible to generate a pair (m,,),0;41) 
for any message m,,, É {mj,,...,m,} [54]. This means that no efficient 
adversary who is given a signature for some messages of his choice can 
generate a signature for a new message with non-negligible probability. 

Existential unforgeability against adaptive chosen message attacks 
for a signature scheme is defined using the following game. 


Setup. The challenger runs Setup. It gives the adversary .A the public 
key pk and keeps the secret key sk to itself. 


Query. A issues signature queries m,,...,m,. To each query m;, A 
responds by running Sign to create a signature o; on m; and 
sending o; to A. These queries may be asked in an adaptive 
manner so that each query m; may be dependent on the replies 
to m,,...,Mj_1- 

Forge. A outputs a forgery (m*,o*). A wins if o* is a valid signature 
of m* and m* is not among the messages m; queried during the 
query phase. 


Definition 1. A digital signature scheme is existentially unforgeable 
against adaptive chosen message attacks, if no probabilistic polynomial- 
time adversary A can win in above game with non-negligible probabil- 


ity. 
3.2. zk-SNARKs 


A zero-knowledge proof enables one to build a cryptographic proof 
so as to convince others that he indeed knows a secret witness without 
disclosing any additional information [55]. The tool is useful to prove 
that one correctly follows the protocol instead of deviating from it. For 
instance, for a public value x, one knows a certain witness w so that 
f(w) = x, where f is a public function. 

The zero-knowledge succinct non-interactive argument of knowl- 
edge (zk-SNARK) [56] enables a proof to be generated non- 
interactively, and what’s more, the proof is succinct, i.e., the proof 
is very short and easy to verify [57]. A zk-SNARK can be exploited 
for further achieving a kind of designated proof, just like to perform 
a protocol in order to generate a witness w such that C(x,w) = 1 
with the circuit C and a statement x [58]. For a circuit C : {0,1}"x 
{0,1}? > {0,1}, its satisfaction problem is a relation R, = {(x,w) € 
{0,1}" x {0,1}?|C(x,w) = 1}, and its NP-complete language is £, = 
{x © {0,1}"|dw € {0,1}, s.t.,C(x,w) = 1}. Then, with a public x, one 
can attest a secret witness w satisfies C(x, w) = 1 such that x € £.. 

Specifically, a zk-SNARK is a triple of algorithms (Setup, Prover, 
Verifier). 


— Setup(1*,C) — pp is a algorithm which, on input a security pa- 
rameter 4 and a circuit C, outputs the system’s public parameters 
pp. The algorithm is only required to run once per circuit. 

— Prover(pp, x, w) — z is a algorithm which, on input the public 
parameters pp, a public x and a witness w, outputs a proof z. 

— Verifier(pp,x,z) —> 0/1 is a algorithm which, on input the 
public parameters pp, a public x and a proof z, outputs 1 if z 
is a valid proof such that x € £.. 


Therefore, one can exploit the above algorithms to establish a non- 
interactive and succinct proof for the language £,, and others can verify 
whether the proof is valid to attest a statement x € £.. 

The zk-SNARKs satisfy the following properties: (i) Completeness. 
Prover can generate a proof and convince the verifier that the prover 
knows a witness corresponding to the statement. (ii) Soundness. No 
polynomial-time adversary can forge a proof for a statement without 
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knowing its corresponding witness. (iii) Proof of Knowledge. There exists 
an extractor algorithm such that if a prover convinces a verifier, then 
given oracle access to the prover, the extractor algorithm can actually 
output the witness. (iv) Zero-Knowledge. The proof leaks nothing except 
for the statement. (v) Succinctess. The proof size is linear in the security 
parameter. 


4. Event-oriented linkable and traceable anonymous authentica- 
tion 


4.1. Syntax 


An event-oriented linkable and traceable anonymous authentication 
(EOLTAA) consists of the following seven algorithms. 


— CSetup(1*) — (MPK, MSK). The master key generation algorithm 
is a function that takes as input a security parameter A, and 
outputs a master public key MPK and a master secret key MSK. 

— UKeyGen(1*) — (upk,usk). The user key generation algorithm is 
a function that takes as input a security parameter 4, and outputs 
a public key upk and a secret key usk. 

— CertGen(upk,MSK) —> o. The certificate generation algorithm 
takes as input a user’s public key upk and the master secret key 
MSK. It outputs a certificate o that can validate the corresponding 
public key upk. 

— Auth(m = e || p,upk,usk,o,MPK) —> m~. The authentication 
algorithm takes as input a message m that has an event identifier e 
and a payload p, a user’s public key upk, secret key usk, certificate 
c, and the master public key MPK. It outputs an authentication 
token z on the message m. 

— Verify(m,z,MPK) —> 0/1. The verification algorithm takes as 
input a message m, an authentication token z and the master 
public key MPK. It outputs 1 or 0 to decide whether the proof 
is valid or not. 

— Link(m,,m, 7}, 72) — 0/1. The link algorithm takes as input two 
valid message and authentication token pairs (m,, 1), (m, 2). It 
outputs 1 if two messages binding a common event are authenti- 
cated by the same user; otherwise, it outputs 0. 

— Trace(m;, m, 7%], %3) —> L/upk. The trace algorithm takes as 
input two valid message and authentication token pairs (m,, z,), 
(my, >). It outputs a public key upk which points to the user who 
authenticates two messages binding a common event; otherwise, 
it outputs the error symbol L. 


Any construction of EOLTAA must be correct. 


Definition 2 (Correctness). An EOLTAA scheme is correct if it has 
verification correctness, linking correctness and tracing correctness: 


+ Verification correctness. An authentication token produced by an 
honest user should be accepted by the Verify algorithm. 

+ Linking correctness. If two honestly created authentication tokens 
are determined as linked, then they must have been generated by 
an identical user with respect to the same event. 

e Tracing correctness. In the case of linked, an honest user’s public 
key will be revealed by the Trace algorithm. 


4.2. Notions of security 
Security of EOLTAA schemes has four aspects: unforgeability, 


anonymity, linkability and traceability. 


Unforgeability. Unforgeability for EOLTAA schemes is defined as the 
following game between the Challenger C and the Adversary A. 


1. C runs CSetup(17) to create a master key pair (MPK,MSK), and 
runs UKeyGen(17) to generate n public-secret key pairs (upk,,usk,), 
...,(upk,,usk,), and gives MPK, upk,,...,upk, to A. 
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2. A gives C a public key upk; € {upk,,...,upk,}. C runs CertGen 
(upk;, MSK) and returns a certificate o;. 

3. A chooses and sends a public key upk, and a message m, to C, and 
asks C to authenticate m,. Then, C runs Auth(m,, upk ;,usk;,0;,MPK) 
and outputs a corresponding authentication token z;,. 

4. A selects a public key upk*, a new message m* and creates a 


corresponding authentication token z*, and outputs upk*,m*, x*. 
A wins if: 


(1) Verif y(m*, z*, MPK) = 1; 
(2) (upk*,m*) is not among the pairs (upk;,m;) generated during the 
query phase. 


We denote by Advi)" (A) = PrLA wins the game] the success proba- 
bility of adversary A in winning the unforgeability game. 


Definition 3 (Unforgeability). An EOLTAA scheme is unforgeable if for 
all PPT adversary A, Adv% (4) is negligible. 


Anonymity. Anonymity for EOLTAA schemes is defined as the follow- 
ing game between the Challenger C and the Adversary A. 


1. A runs CSetup(17) to create a master key pair (MPK, MSK), and 
gives MPK to C. 

2. C runs UKeyGen(1*) to generate two public-secret key pairs (upk, 
usko) and (upk,,usk,), and gives two public keys upky,upk, to A. 
Then, A returns two corresponding certificates og, o; to C. 

3. A selects a public key upk; € {upko, upk; } and a message m,, and 
asks C to authenticate m,, but all the queried messages cannot 
have a common event. C runs Auth(m;, upk ;, usk ;,0;, MPK) and 
outputs a corresponding authentication token z,. 

4. A chooses and sends C a new message m* which is not in the set 
{m,} and cannot have a common event with queried messages. 
C randomly picks b € {0,1}, uses (upk,,usk,,o,) to authenticate 
m*, and returns the newly generated authentication token z* to 
A. After receiving z*, A outputs the guess b’. 


A wins if b' = b. 
We denote by Adv4"""(A) = [Pri A wins the game] — A the success 
probability of adversary A in winning the anonymity game. 


Definition 4 (Anonymity). An EOLTAA scheme is anonymous if for all 
PPT adversary A, Adv” (A) is negligible. 

Linkability. Linkability for EOLTAA schemes is defined as the follow- 
ing game between the Challenger C and the Adversary A. 


1. C first runs CSetup(1ĉ) to create a master key pair (MPK, MSK), 
calls UKeyGen(1^) to generate n public-secret key pairs (upk,,usk,), 
...,(upk,,usk,), and gives MPK, upk,,...,upk, to A. 

2. A runs UKeyGen(1*) to create a public-secret key pair (upk, usk), 
and sends upk to C. C runs CertGen(upk,MSK) and returns a 
certificate o. 

3. A chooses a public key upk;, a message m,, and asks C to au- 
thenticate m,. C runs Auth(m;, upk ;,usk ;,0;, MPK) and outputs a 
corresponding authentication token z. 

4. A selects two message m{, m} sharing a common event and cre- 
ates two corresponding authentication tokens z/,2}, and outputs 
(mi, a7) and (m5, 23). 


A wins if: 
(1) Verif y(m*, 7°, MPK) = 1 fori =1,2; 
(2) Link(m},m;, 7}, 75) =U, 


We denote by Advii"*(A) = Pr[ A wins the game] the success proba- 
bility of adversary A in winning the linkability game. 
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Definition 5 (Linkability). An EOLTAA scheme is linkable if for all PPT 
adversary A, Advii"*(A) is negligible. 


Traceability. Traceability for EOLTAA schemes is defined as the fol- 
lowing game between the Challenger C and the Adversary A. 


1. C runs CSetup(17) to create a master key pair (MPK,MSK), and 
runs UKeyGen(17) to generate n public-secret key pairs (upk,,usk,), 
...,(upk,,,usk,), and gives MPK, upk,,...,upk, to A. 

2. A first runs UKeyGen(1) to create a public-secret key pair (upk, 
usk), and sends upk to C. C will return a certificate o by running 
CertGen(upk, MSK). Then, A gives C a public key upk; € {upk,,..., 
upk, }. C runs CertGen(upk;, MSK) and returns a certificate o;. 

3. A chooses a public key upk;, a message m;, and asks C to au- 
thenticate m;. C runs Auth(m;, upk;, usk ;,0;, MPK) and outputs a 
corresponding authentication token z;. 

4. A selects two message m{, m} sharing a common event and cre- 
ates two corresponding authentication tokens z*, m3, and outputs 
(mi T7) and (m5, 73). 


A wins if: 


(1) Verif y(m*, *, MPK) = 1 fori =1,2; 
(2) Link(m},m;, x}, 75) al 
(3) Trace(m;,m;, Ti, 1) = L/upk’, but upk' £ upk. 


We denote by Adv//4@(A) = Pr[A wins the game] the success 
probability of adversary A in winning the traceability game. 


Definition 6 (Traceability). An EOLTAA scheme is traceable if for all 
PPT adversary A, Adv?” (A) is negligible. 


5. Our Proposed EOLTAA 
5.1. Generic construction 


Similar to other anonymous authentication schemes, we also utilize 
the zero-knowledge proof technique to achieve anonymity. Specifically, 
we apply zk-SNARK to obtain an efficient construction. Since the 
assurance contributing to linkability-and-traceability is the event, con- 
sequently, we will exploit it to support an anonymous-and-accountable 
requirement. In a nutshell, the authentication process creates a linking 
tag committed to the event and the user’s secret key. To satisfy the 
requirement of traceability, we will also provide a tracing tag which 
will be used for tracking. 

Let S = (S.Setup, S.Sign, S.Verify) and U = (U.Setup, U.Sign, U.Verify) 
be two signature schemes, VPK, USK be the public key space and 
secret key space of the signature scheme U. Without loss of generality, 
the secret key space USK is defined in a finite field. We assume the 
public function F : VSK — VPK denotes a map between the secret 
key space and public key space, and satisfies the homomorphic prop- 
erty. Let Z = (Z.Setup, Z.Prover, Z.Verifier) be the zk-SNARK protocol. 
The EOLTAA scheme is constructed as follows. 


— CSetup(1*, £). The master key generation algorithm first invokes 
S.Setup(1*) to create a signing key msk and a verification key 
mpk, and calls Z.Setup(1*,£) to obtain the public parameters pp 
for zk-SNARK, where the language £ is depicted in the following 
authentication algorithm. It also chooses two hash functions H : 
{0, 1}*x{0,1}* — USK and H' : {0,1}*x{0,1}* — USK. The 
master public key is MPK = (mpk, pp, H, H’), the master secret key 
is MSK = msk. 

— UKeyGen(1*). The user key generation algorithm calls U.Setup(17) 
to obtain a secret key usk, € USK and a public key upk; E VUPK. 


1 For example, the public key is y = g* (x is the secret key). 
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— CertGen(upk;,MSK). The certificate generation algorithm calls 
S.Sign(upk;,msk) to compute a signature o; on a public key upk,, 
and outputs o;. 

— Auth(m = e || p, upk;,usk;,0,;, MPK). On input a message m including 
an event identifier e and a payload p, the authentication algorithm 
does the following: 


1. Compute a linking tag t} = H(e,usk;) and a tracing tag 
ty = H'(e,usk,; || upk;) + p- usk;. 

2. Let x = (m,t,,t),MPK) be the common knowledge, w = 
(upk;,usk;,o;) be the private witness. Call proving algo- 
rithm Z.Prover(x, w, pp) of zk-SNARK for the language £ = 
{x = (m, t,t), MPK) | dw = (upk;,usk;,0;), s.t., upk; = F (usk;) 
A S.Verify(upk;,o;,mpk) = 1 Aty = H(e,usk;) Ah = H' 
(e,usk; || upk;) + p- usk;}, where F is to confirm if the two 
keys correspond to a public-secret key pair, and the S.Verify 
algorithm is used for checking whether œg; is a valid certifi- 
cate. Then Z.Prover algorithm will produce a proof 7 related 
to the statement x € £. 

3. Output an authentication token z = (t;, t3, 1). 


— Verify(m, z, MPK). The verification algorithm invokes Z.Verifier(x, 
x, pp), and outputs 0 or 1 for invalid or valid, respectively. 

— Link(m,,m, 2), 77). The link algorithm outputs 1 if two linking 
tags in 2,,z, are the same. Otherwise, it outputs 0. 

— Trace(m,,m , 71, %2). If two different messages m,m, bind a com- 
mon event e, the trace algorithm computes a derived secret key 
usk; and calls the function F to calculate the corresponding public 
key upk; = F(usk;) pointing to the user i. 


5.2. Security theorems 
We state the following theorems on the security of our construction. 


Theorem 1 (Unforgeability). Assume the signature scheme S is unforgeable, 
the function F is one-way and the zk-SNARK scheme Z is proof-of- 
knowledge, then an EOLTAA scheme is unforgeable in the random oracle 
model. 


Proof. To prove the unforgeability of our EOLTAA scheme, we distin- 
guish the following two types of forgers: 

Type-1 forger: In challenge phase, the adversary outputs a three- 
tuple (upk*, m*,z*) where the upk* has never been queried by a forger 
in certificate query phase. 

Type-2 forger: In challenge phase, the adversary outputs a three- 
tuple (upk*,m*,2*) where the upk* has been queried by a forger in 
certificate query phase. 

We prove this theorem by the following two lemmas. 


Lemma 1. Suppose the signature scheme S is unforgeable and the zk- 
SNARK scheme Z is proof-of-knowledge, then the EOLTAA scheme is 
unforgeable against the Type-1 forger in the random oracle model. 


Proof. Suppose there exists an adversary A, that can break the 
unforgeability of our EOLTAA scheme with non-negligible probability. 
We build an algorithm B against the unforgeability of the signature 
scheme S. 

Let Cy, be the challenger corresponding to B in the game with 
respect to the signature scheme S. B runs A, to execute the following 
steps. 

The challenger Cy; invokes S.Setup algorithm to create a key pair 
(mpk,msk), and sends mpk to B. B calls Z.Setup algorithm to gen- 
erate parameters pp for zk-SNARK, and selects two hash functions 
H,H'. Let MPK = (mpk, pp,H,H’). B runs U.Setup algorithm to cre- 
ate n public and secret key pairs (upk,,usk,),...,(upk,,usk,). Then, B 
sends MPK, upk,,...,upk, to Ag. When A, sends a public key upk; € 
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{upk,,...,upk, } to B, B will send it to C;. Then C ș runs S.Sign algorithm 
to generate a corresponding signature o; and sends it to B, then B 
returns this signature to Apg. And when A, sends a public key upk; € 
{upk,,...,upk,} and a message m; to B, B will invoke the simulator 
algorithm of zk-SNARK to generate a corresponding authentication 
token z,, and sends it to Ap. Finally, A; outputs upk*,m*,x* where 
upk* has never been queried before. 3 invokes the extractor algorithm 
of zk-SNARK to extract the witness (upk*, usk*,o*) from z*, and outputs 
(upk*,o*) as his forgery. 

Assume A, successfully forges a valid x*, which will pass verifica- 
tion by Z.Verify, then (upk*,o*) can also pass verification by S.Verify. 
Since upk* has never been queried in the certification query phase, then 
(upk*,o*) is a valid forgery against signature scheme S. Therefore, in 
this case we would have a successful forger B against S, contradicting 
the hypothesis in the statement of the theorem which claims that S is 
unforgeable. O 


Lemma 2. Suppose the function F is one-way and the zk-SNARK scheme 
Z is proof-of-knowledge, then the EOLTAA scheme is unforgeable against 
the Type-2 forger in the random oracle model. 


Proof. Suppose there exists an adversary A, that can break the 
unforgeability of our EOLTAA scheme with non-negligible probability. 
We build an algorithm B against the one-wayness of function F with 
non-negligible probability. 

Let Cp be the challenger corresponding to B in the game with 
respect to the one-way function F. B runs A, to execute the following 
steps. 

The challenger Cp selects a secret key x, € USK and computes 
a corresponding public key y such that the public key has the homo- 
morphic property, and sends y to B. B invokes S.Setup algorithm to 
create a key pair (mpk,msk) and calls Z.Setup algorithm to generate 
parameters pp for zk-SNARK, and selects two hash functions H, H’. 
Let MPK = (mpk, pp,H,H’). B also randomly chooses x,,...,x, from 
USK, and sets upk, = y,upky = y- F(xp),...,upk, = y+ F(x,). Then, B 
sends MPK,upk,,...,upk, to Ag. When A, sends a public key upk; € 
{upk,,...,upk,} to B, B will return a corresponding o; by running S.Sign 
algorithm. And when A, sends a public key upk; € {upk,,...,upk,} 
and a message m; to B, B will return a corresponding authentication 
token z; by calling the simulator algorithm of zk-SNARK. Finally, A; 
outputs upk*, m*,z* where upk* has been queried before. 3 invokes the 
extractor algorithm of zk-SNARK to recover the witness (upk*, usk*,o*). 

Given upk* and usk*, B can easily obtain the secret x, such that 
y = F(x,). This means that B breaks the one-wayness of F. B never 
fails when A, succeeds, which concludes the proof. O O 


Theorem 2 (Anonymity). Assume the zk-SNARK scheme Z is zero- 
knowledge, then an EOLTAA scheme is anonymous in the random oracle 
model. 


Proof. Suppose there exists an adversary A, that can break the 
anonymity of our EOLTAA scheme with non-negligible probability. Let 
C be the challenger corresponding to A, in this game. 

The adversary A, invokes S.Setup algorithm to create a key pair 
(mpk, msk) and calls Z.Setup algorithm to generate parameters pp for zk- 
SNARK, and selects two hash functions H,H’. Let MPK = (mpk, pp,H, 
H’). Ag sends MPK to C. C selects two secret keys uskg,usk, and calls 
F to obtain the corresponding public keys upky,upk,. When C sends 
upky,upk, to Ag, Ag will return o9,0, by running S.Sign algorithm. 
And when A, sends a public key upk; € {upkọ, upk; } and a message m; 
to C, C will return a corresponding authentication token z; by calling 
the simulator algorithm of zk-SNARK. Next, A, sends a message m* to 
C, C will randomly pick b € {0,1} and use (upk,,usk,,o,) to create a 
corresponding authentication token z*, and sends x* to Ap. Finally, 
Apg outputs the guess b’. 
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The information of b only exists in the witness (upk,, usk,,o,) which 
is used to generate the authentication token x*. Since x* is a zero- 
knowledge proof that will not leak any information about the witness. 
Thus, the advantage that A, can guess b correctly is always k Bi 


Theorem 3 (Linkability). Assume the zk-SNARK scheme Z is zero- 
knowledge, then an EOLTAA scheme is linkable in the random oracle 
model. 


Proof. Suppose there exists an adversary A, that can break the 
linkability of our EOLTAA scheme with non-negligible probability. Let 
C be the challenger corresponding to Ap in this game. 

The challenger C runs S.Setup algorithm to create a key pair (mpk, 
msk) and invokes Z.Setup algorithm to generate parameters pp for zk- 
SNARK, and selects two hash functions H, H’. Let MPK = (mpk, pp, H, 
H’). C runs U.Setup to create n key pairs (upk,,usk,),...,(upk,,usk,), and 
sends MPK, upk,,...,upk, to Ap. Ap first calls U.Setup to generate a key 
pair (upk4,usk4), and sends upk, to C. C will return a corresponding 
o4 by running S.Sign algorithm. When A, sends a public key upk; € 
{upk,,...,upk,,} and a message m; to C, C will return an authentication 
token z; by calling the simulator algorithm of zk-SNARK. Finally, A; 
selects two messages m{,m} sharing a common event, generates the 
corresponding Ty» T3» and outputs (mi, zi), (m5, 53). 

Since the zk-SNARK is zero-knowledge, A; cannot get the infor- 
mation about usk,...,usk, and the corresponding oj,...,o, in the 
authentication query phase. If x, can pass verification by Z.Verify, 
then A; must use usk, to generate the tag tį. Since t, is calculated 
by H(e,usk;) and usk, is the same one, thus the two linking tags in 
i, Hy are equal, and the Hy are linked. This contradicts with our 
assumption that A, can break the linkability. 


Theorem 4 (Traceability). Assume the zk-SNARK scheme Z is proof-of- 
knowledge, then an EOLTAA scheme is traceable in the random oracle 
model. 


Proof. Suppose there exists an adversary A, that can break the 
traceability of our EOLTAA scheme with non-negligible probability. Let 
C be the challenger corresponding to A, in this game. 

The challenger C invokes S.Setup algorithm to create a key pair 
(mpk, msk) and calls Z.Setup algorithm to generate parameters pp for zk- 
SNARK, and selects two hash functions H,H’. Let MPK = (mpk, pp,H, 
H’). C also generates n key pairs (upk,,usk,),...,(upk,,usk,) by calling 
U.Setup algorithm. Then, C sends MPK, upky,...,upk, to Ag. Next, Ag 
runs U.Setup to create a key pair (upk,, usk,), and sends upk, to C. 
C will return a corresponding o, by running S.Sign algorithm. When 
Ag sends a public key upk; E€ {upk,,...,upk,} to C, C will call S.Sign 
algorithm to return a corresponding o;. And when A, sends a public 
key upk; € {upk,,...,upk,} and a message m; to C, C will return an au- 
thentication token z; by calling the simulator algorithm of zk-SNARK. 
Finally, A; selects two messages m{, m} sharing a common event, and 
generates the corresponding Ti, T3, and outputs (mý, Ti), (m3, z3). 

If zï z can pass verification by Z.Verify, then we can call the 
extractor algorithm of zk-SNARK to extract the corresponding witness 
(upk,,usk,,o,), and upk, can also be easily obtained by invoking the 
function F according to usk,. Since we have proved that our EOLTAA 
scheme is unforgeable, thus A, cannot forge a valid certificate. How- 
ever, Ag only has (upk4,usk,4,0,4), so xï, z3 must be generated by 
using (upk,,usk,4,0,). Therefore, the advantage that Ap can break the 
traceability is negligible. [] 


5.3. Practical instantiation 


We instantiate S and U using the Schnorr signature [59] as the sig- 
nature scheme, which is used to create a user’s certificate and key pair, 
and instantiate Z using the implementation proposed by Ben-Sasson 
et al. [60], respectively. 
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Table 2 Table 3 
Functionality comparison of different schemes. Running time comparison of different schemes. 
Scheme [14] [6] [20] [21] Ours Scheme [6] [20] [21] Ours 
Anonymity v v A v v Authentication (ms) 93.64 21.38 68.22 970.23 
Linkability v v v v v Verification (ms) 89.17 42.92 12.29 5.34 
Traceability x v v v v 
Table 4 
Size, storage and communication cost comparison of different schemes. 

Let G be a group of prime order q and g be a generator. Let H, : Scheme [6] [20] [21] Ours 
{0,1}* — Zp Hy {0,1}* x {0,1}* — Zy be two hash functions. Authentication size (kB) 0.80 0.17 1.30 0.12 
Pick a secret key x € Z, as the signing key and compute y = g*, and Storage cost (kB) 0.81 0.18 1.32 0.19 

Communication cost (kB) 0.81 0.18 1.32 0.19 


set (G, q, g, y, H,) as the verification key of the signature algorithm. For 
a user, he first picks a secret key x; € Z} and generates a public key 
y; = g*i. To issue a certificate, randomly select r € Z, and calculate 
h = g", and compute s = r + cx where c = H (y; || h), and set c; = (c, s) 
as a certificate for the user with a public key y;. 

To create an authentication token, a user chooses e € Z}, p € Z, 
to form a message e || p, and generates two tags t; = H,(e,x;), h = 
Hy(e, x; || y) +p- x; The user with the witness (x;, y;, c, s) only needs 
to prove that the relation y; = gi Ag’ = h- yf Ati = Hyl(e,x) Ah = 
H,(e, x; || y)+p-x; holds. Specifically, to prove upk; = F (usk;), the user 
only needs to certify that y; = g*'; to prove S.Verify(upk;,o;,mpk) = 1, 
the user shows that g5 = h - y°. 

We show that the correctness of our instantiation. First, it is obvious 
that the verification algorithm is correct. We have a key pair (x;, y;) 
such that y; = g*' and possess a certificate (c, s), where c = H, (y; || A) 
and s =r + cx, and only to compute h = g‘y~“ and verify if c is equal 
to H, (y; || 4). The link algorithm is correct as follows. Given two valid 
authentication tokens z, = al, tln’) and m, = (4.5.07) and the same 
event identifier e, we have the following relations: ti = H3 (e, x;) = f 
Finally, we show that the trace algorithm correctly works. Given two 


linked authentication tokens z, = l, thn’) and m, = e, A n), where 


2 


t! = Hole, x;), t} = Hale, x; || yi)+p1 xX; t? = Fhe, x;), and 15 = Hy(e, x; || 


2_41 
5-1, 
i) +p. -x;, we have x, = +. 
Ji 2 is i P2—P| 


5.4. Implementation 


We implement our EOLTAA scheme based on libsnark [61], which 
is a library that implements zk-SNARKs in C++. We analyze the per- 
formance of our scheme as follows. 

Firstly, we will discuss the functionalities of our EOLTAA scheme 
and make a comparison with some recent anonymous authentica- 
tion schemes achieving linking and/or tracing, such as linkable ring 
signatures [14] and linkable group signatures [20,21] and linkable 
anonymous credentials [6], as shown in Table 2. As all of these schemes 
hold the basic anonymity, we mainly pay attention to linkability 
and traceability. [14] ensures the linkability without the traceability, 
while [6], [20] and [21] achieve the linkability and traceability simul- 
taneously. As shown in Section 5, we have proved that our EOLTAA 
scheme has satisfied the security requirements, i.e. our scheme also 
supports the basic linkability and traceability. 

Secondly, we will analyze the efficiency of our EOLTAA scheme. We 
evaluate the performance of EOLTAA on a computer with AMD Ryzen 
5 3600 6-core processor running Ubuntu 20.04. We set the security 
parameter A = 160, and use the SHA-256 as the secure hash function. 
Next, we select the recent anonymous authentication schemes with 
constant size, and demonstrate the performance in terms of running 
time, size, storage and communication cost in Tables 3 and 4. Note 
that, these above group signature and ring signature schemes can also 
be reviewed as authentication schemes in some degree, thus we regard 
a signature as an authentication on a message below. 


(1) Running Time: Now, we first analyze the running time of the 
authentication process. To authenticate a message, we should use 
the libsnark library to generate a non-interactive zero-knowledge 
proof, thus we list the running time of the Z.Prover algorithm 


and Z.Verifier algorithm of the zk-SNARK. We use the Z.Prover 
algorithm to produce a non-interactive proof, and the proof gen- 
eration time is 970.23 ms. Then, we verify the proof by calling 
the Z.Verifier algorithm, and the verification time is 5.34 ms. As 
shown in Table 3, we also list the running time of authentication 
generation and verification of other related schemes. It can be 
learned from the table that our EOLTAA scheme has a slightly 
longer authentication time, but with a faster verification time 
than others. 

(2) Size, Storage and Communication Cost: Now, we will analyze 
the size, storage and communication cost of the authentication 
process. We make use of the zk-SNARK to create a non-interactive 
proof for authentication. Due to the succinctness of zk-SNARK, 
the size of authentication on a message is 0.12 kB, which is 
the minimum length in these schemes in Table 4. Then, a user 
creates a token, i.e. z = (t),tp,7), and submits the message and 
authentication token pair (m, æ), thus the communication cost is 
0.19 kB. Since an anonymous authentication on a message should 
be saved as (m, x) for linking and tracing, the storage cost is also 
0.19 kB. It can be learned from the table that our EOLTAA scheme 
has a minimum length of authentication, and with a slightly 
smaller storage and communication cost. 


From the above comparisons and analyses, we can find that our 
EOLTAA scheme satisfies all the security requirements. The simula- 
tion results show that our EOLTAA scheme is feasible and efficiently 
calculated. 


6. An anonymous and traceable voting protocol based on 
blockchain 


Voting plays an important part in modern democracies, and a voting 
activity is the most straightforward fashion to execute the populace’s 
right. In fact, a ballot represent a preference for the candidate that the 
voter supported. Obviously, the integrity of voting process is of vital 
importance to the integrity of the democracy itself [62]. Even through 
various cryptographic techniques have been exploited to realize anony- 
mous voting, most traditional e-voting schemes cannot guarantee the 
transparency and the security against tampering. Fortunately, many 
solutions based on blockchain have been proposed to efficiently elimi- 
nate this issue. In this section, we present an anonymous and traceable 
e-voting protocol based on blockchain using our proposed EOLTAA 
scheme. 

Traditional e-voting systems mainly need a public bulletin board to 
realize a communication channel and store information as a database 
[63] which may suffer from data loss and modification. Centralized 
voting platforms, such as [64] and [65], always suffer from single point 
of failure, and are easily attacked from adversaries such that privacy 
leaks always happen. Some self-tallying voting protocols, like [66] 
and [67], can realize decentralized property, but they are unsuitable 
for large scale voting, because even single one that does not join in the 
protocol will lead to the failure of tallying. 


P. Li et al. 


Table 5 
Comparison among the existing blockchain-based voting schemes. 


Scheme Decentralized Anonymous Double-voting Linkable Traceable 
avoided 

[58,69,70] v v x x x 

[74,75] v x v v x 

[73,76] v y v y x 

Ours v v v v v 


Fortunately, blockchain technology is used in voting to reduce 
the dependence on centralized system and avoid single point of fail- 
ure, data modification and loss. A comparison among the existing 
blockchain-based voting schemes is showed in Table 5. In [58] and [68- 
71], all the ballots are submitted and recorded on blockchain, which 
just serves as a public and immutable database. As a matter of fact, 
double voting is always a challenge for most e-voting schemes. In order 
to avoid double voting, solutions in [72-76] are designed to eliminate 
this risk. [73] and [76] use linkable ring signature to achieve the 
linkability of two ballots that correspond to the same voter, but they 
lack of the traceability. 

All the aforementioned schemes are not applicable for wide adop- 
tion because they cannot efficiently solve the double voting. And no 
novel manners are proposed to simultaneously detect double voting and 
locate the double voter. Moreover, a common disadvantage of these 
schemes is that they cannot provide decentralization, double-voting 
resistance, linkability and traceablity at the same time. However, using 
EOLTAA, we can construct the first decentralized, anonymous, linkable 
and publicly traceable e-voting scheme based on blockchain to meet 
this need. 


6.1. Participants 


There are four entities that participate in the voting as shown in 
Fig. 1, which consists of election committee (EC), certificate authority 
(CA), blockchain voting platform and voters. 

Election Committee: An election committee is a voting organizer 
who acts as vote initiator and counter and is responsible for publishing 
voting activity and computing the final election result. 

Certificate Authority: A certificate authority is a trusted authority 
whose duty is to issue certificates to participants who want to obtain a 
certificate. 

Blockchain Voting Platform: A blockchain voting platform acts as 
a public bulletin board, which stores some public announcements and 
all voters’ ballots. 

Voters: A set of voters should register a certificate and receive a 
voting announcement, and cast their ballots to the blockchain platform. 


6.2. Security requirements 


Informally, we wish an e-voting scheme should satisfy a number of 
security requirements. 

Privacy: The content of each ballot should be protected such that 
anyone cannot obtain the real information included in the ballot. 

Anonymity: All valid voters who follow the voting protocol are kept 
secret. 

Eligibility: Only authorized voters are allowed to vote. 

Verifiability: Any party, including a bystander, can be convinced 
that all valid ballots are included in the final result when tallying. 

Unforgeability: An attacker cannot forge a voter’s identity to cast 
a ballot in the name of the voter. 

Traceability: Double voting can be detected, and it is possible 
to further infer the double voter’s identity without the help of other 
parties. 
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Fig. 1. The system model of e-voting. 


6.3. The voting protocol 


Let Ø = (®.CSetup, ®.UKeyGen, ®.CertGen, ®.Auth, &.Verify, ®.Link, 
@.Trace) be an event-oriented linkable and traceable anonymous au- 
thentication scheme, and let E = (E.KeyGen,E.Encrypt,E.Decrypt) be 
a public key encryption scheme that is semantically secure. We now 
construct an anonymous and traceable e-voting protocol, which consists 
of the following four phases: setup phase, registration phase, voting 
phase and counting phase. 

Setup: Before starting registration, setup phase is required to initiate a 
voting. 

CA first prepares the master public key MPK by running ®.CSetup 
algorithm, and sends a transaction including the public parameters to 
the blockchain network. 

Registration: Voters and the election committee should generate their 
key pairs and register a certificate with the certificate authority. 

EC runs ®.UKeyGen algorithm to create a public and secret key 
pair (pkgc»skgc), and obtains a certificate ogc from CA by calling 
@.CertGen algorithm. Similarly, a voter V, creates a public and secret 
key pair (upk;,usk;) and obtains a certificate o;. 

Voting: The election committee publishes a voting, and each voter 
anonymously casts a ballot. 

EC picks a random number vid defined as the identifier of a voting 
activity, calls E.KeyGen to create a key pair (pk,, sk,) used for encrypting 
the ballot, and sets a deadline t, a candidate list c/ and a counting 
policy Y. Then, EC creates a new blockchain account address addr gc, 
and generates meç = @.Auth(vid || addrpgc,pkgc,skec, ogc, MPK) to 
authenticate vid || addr pç. At last, EC codes a smart contract sc that 
includes all above vid, mgc, pk,, cl, t, Y, MPK, etc. in this voting, and 
sends (vid || addr gc, sc,af¢c) to the blockchain using addr gc. 

When receiving this voting, voter V, chooses one candidate and runs 
E.Encrypt to encrypt it under the public key pk, to get C;, and calls 
@.Auth algorithm to generate z; = ®.Auth(vid || C;,upk;,usk;,o;, MPK), 
and uses his newly created account address addr; to send (C,, z;) to the 
blockchain network. 

Counting: The election committee opens the encrypted ballots and 
calculates the final election result. 

Smart contract sc runs ®.Verify(vid || C;, z;, MPK) to verify each re- 
ceived ballot and authentication pair, and removes invalid ones. Then, 
it starts to detect double voting by running @.Link(C,, C,,, z;, z,.) for each 
valid (C,,,z,,) that has passed verification, and executes ®.Trace(C;, C,,, 
;,,,) to further derive the double voter’s identity. 

Then, EC collects all valid ballots which exclude these correspond- 
ing to double voting and invalid authentications, and runs E.Decrypt 
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to decrypt ballots by using sk, and calculates the final election result 
result. Moreover, EC also generates a zero knowledge proof T,esuit» 
with the secret key sk, as the witness. In particular, the proof is 
for the language L,esult {Para| Ask, s.t., pke = f(ske) AL, bi = 
E.Decrypt(sk,,C;) A result = Y(b;;b,,...,5,)}, where Para denotes the 
public parameters together with the ciphertexts C,,...,C,, b; is the 
plaintext corresponding to C;, and f is the function to verify if the two 
keys correspond to a key pair. At the end, EC sends (result, 2,5,;;) to 
the blockchain network, and anyone can check the final election result 
by verifying the proof T,esult. 


6.4. Security analysis 


We discuss the security our proposed voting protocol satisfied. 

Privacy: All the ballots recorded on the blockchain are encrypted 
by the key pk, of the public key encryption scheme E. We assume the 
encryption scheme is semantically secure, thus the encrypted ballots 
will not leak information to the public. And only the election committee 
who acts as the initiator and has the secret key sk, can decrypt them. 

Anonymity: A randomly generated blockchain address addr, elim- 
inates the risk of locating a certain voter through several transactions 
he has ever involved. Since the ® scheme is anonymous, y is a zero- 
knowledge proof that leaks nothing useful information, and 1), t, in 
the generated authentication token z; correspond to two random num- 
bers, i.e., the proof and tokens reveal nothing about a certain voter’s 
identity information. Furthermore, any one, including the certificate 
authority and the election committee, cannot distinguish which ballot 
corresponds to which voter. 

Eligibility: A legitimate voter should register at the certificate 
authority and obtain a corresponding certificate binding his identity 
information. Then he can create a valid authentication to attest his 
validity, and everyone can verify the correctness. However, for an 
illegitimate user who did not obtain a certificate from the certifi- 
cate authority, he cannot create a valid authentication without an 
indispensable certificate. 

Verifiability: The whole voting process is showed on the blockchain 
voting platform, from which anyone is capable of checking all the 
ballots and the corresponding authentication tokens, and of verifying 
whether they are valid or not by running ®.Verify algorithm. And the 
final election result result can be verified by checking the validity of 
the proof Z,..i1+ 

Unforgeability: Each ballot-token pair (C;,,;) recorded on the 
blockchain is visible for the public, but both the encrypted ballot and 
the token are the same as randomly generated numbers. The ® scheme 
is unforgeable, so it is impossible to forge a voter’s private information, 
such as secret key and certificate, to create a valid authentication token 
that can be successfully accepted through ®.Verify in the name of the 
voter. 

Traceability: In a voting activity with a fixed identifier vid, every 
voter is allowed to cast one ballot together with a token, which in- 
cludes a linking tag t, and a tracing tag t. ® scheme is linkable and 
traceable, so if a voter tries to cast twice, the two linking tags will 
lead to the linkability of the two tokens since the same hash value of 
H(vid,usk;). Therefore, we can accurately locate the origin of double 
voting. Furthermore, with the help of ® scheme, two tracing tags in 
the two tokens are designed to reveal the identity of this double voter. 
That is to say, ® scheme provides a novel solution in which double 
voting can be detected and the anonymity is further removable through 
deriving the double voter’s identity without the help of other parties. 


7. Conclusion 


In this paper, we propose a new variant of anonymous authen- 
tication called event-oriented linkable and traceable anonymous au- 
thentication that simultaneously achieves unforgeability, anonymity, 
linkability and traceability. All these properties of our scheme are 
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proven secure. Then, we give a generic construction to satisfy the 
security requirements. In particular, we use this variant to construct the 
first decentralized, anonymous, linkable and traceable e-voting based 
on blockchain, and analysis the security of our e-voting scheme. 
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